lieser / dkim_verifier

DKIM Verifier Extension for Mozilla Thunderbird
MIT License

DNSSEC validation not working #430

Closed Sharparam closed 6 months ago

Sharparam commented 6 months ago

There have been some issues made here in the past about DNSSEC, but none of the fixes discussed in those seem to work for me.

I've switched the extension to using libunbound instead of the JS lib, and tried to explicitly use both 8.8.8.8 and 1.1.1.1 as the DNS server instead of the OS configuration. I am also not using any of the caching options or saving of DKIM keys.

Mails get the "Valid (Signed by <domain>)" status, but then the yellow warning with "DKIM key is not signed by DNSSEC", even though my domain has DNSSEC enabled, and the DNSSEC debugger shows no issues: https://dnssec-analyzer.verisignlabs.com/sharparam.com

The output from dig sg1._domainkey.sharparam.com +dnssec:

; <<>> DiG 9.18.21 <<>> sg1._domainkey.sharparam.com +dnssec
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49056
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags: do; udp: 1232
; COOKIE: 1a6c8aeb124506a8 (echoed)
;; QUESTION SECTION:
;sg1._domainkey.sharparam.com.  IN  A

;; ANSWER SECTION:
sg1._domainkey.sharparam.com. 300 IN    CNAME   sg1.domainkey.u41132253.wl004.sendgrid.net.
sg1._domainkey.sharparam.com. 300 IN    RRSIG   CNAME 13 4 300 20240130011328 20240127231328 34505 sharparam.com. 18zV0wIww/5rTzX0rqUGaFWDVa+S2cFGrAL2DC2c9sxm9QM3cWCIbPeu YWfMIP+dwS6PiKJ4pqMKesWBtYYnpg==

;; AUTHORITY SECTION:
wl004.sendgrid.net. 300 IN  SOA aisha.ns.cloudflare.com. dns.cloudflare.com. 2331969982 10000 2400 604800 1800

;; Query time: 17 msec
;; SERVER: 127.0.0.1#53(127.0.0.1) (UDP)
;; WHEN: Mon Jan 29 01:13:28 CET 2024
;; MSG SIZE  rcvd: 385

And the log output (with the debug logging enabled) from the extension in Thunderbird when verifying a DKIM signature (with "Reverify DKIM signature"):

Promise rejected after context unloaded: Actor 'Conduits' destroyed before query 'RuntimeMessage' was resolved
displayAction.mjs.js:47
DKIM_Verifier.Verifier  DEBUG    1 DKIM-Signatures found. verifier.mjs.js:1491:8
DKIM_Verifier.Verifier  DEBUG    Verifying DKIM-Signature 1 ... verifier.mjs.js:1506:9
DKIM_Verifier.Verifier  DEBUG    Parsed DKIM-Signature 1: 
Object { original_header: "DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=sharparam.com;\r\n\th=content-type:from:mime-version:subject:to:cc:content-type:from:\r\n\tsubject:to;\r\n\ts=sg1; bh=jun7giDYwf9o+C66LDpjnjT9rnpThIt/i+5kTQ3Ta5I=;\r\n\tb=nHAedYSIDaBZCIIDCIEWcj0LoUoHSaGOVT2vXlrLFudHDywZB7Judiua8btb+2P4amK+\r\n\tsJ1lMVZltmptk/d3o9t7ewa5s61zLic/7yapD7HfZX/iS81fMncndGyaDacLxMDavJes5q\r\n\tZiEt8UpcpidWNx8WQceLV0xb1v1RnGFvKGSlUW4wH6wuFzQzfX5vRR27heh4qNCxzBIQ/a\r\n\tXpYGFTYIKLxPoYH0R9W9dcAsDYS4HPxQtItSzOwuw4v33Ky/yE98NT6G2HXqeog4ByZD4s\r\n\tj/ui0KqyXohnubSNj/nJeo0Zi+neJyssnuA7GaE1crAM6TC1hIaNkF9BS4hzFp9w==\r\n", v: "1", a_sig: "rsa", a_hash: "sha256", b: "nHAedYSIDaBZCIIDCIEWcj0LoUoHSaGOVT2vXlrLFudHDywZB7Judiua8btb+2P4amK+sJ1lMVZltmptk/d3o9t7ewa5s61zLic/7yapD7HfZX/iS81fMncndGyaDacLxMDavJes5qZiEt8UpcpidWNx8WQceLV0xb1v1RnGFvKGSlUW4wH6wuFzQzfX5vRR27heh4qNCxzBIQ/aXpYGFTYIKLxPoYH0R9W9dcAsDYS4HPxQtItSzOwuw4v33Ky/yE98NT6G2HXqeog4ByZD4sj/ui0KqyXohnubSNj/nJeo0Zi+neJyssnuA7GaE1crAM6TC1hIaNkF9BS4hzFp9w==", b_folded: "nHAedYSIDaBZCIIDCIEWcj0LoUoHSaGOVT2vXlrLFudHDywZB7Judiua8btb+2P4amK+\r\n\tsJ1lMVZltmptk/d3o9t7ewa5s61zLic/7yapD7HfZX/iS81fMncndGyaDacLxMDavJes5q\r\n\tZiEt8UpcpidWNx8WQceLV0xb1v1RnGFvKGSlUW4wH6wuFzQzfX5vRR27heh4qNCxzBIQ/a\r\n\tXpYGFTYIKLxPoYH0R9W9dcAsDYS4HPxQtItSzOwuw4v33Ky/yE98NT6G2HXqeog4ByZD4s\r\n\tj/ui0KqyXohnubSNj/nJeo0Zi+neJyssnuA7GaE1crAM6TC1hIaNkF9BS4hzFp9w==", bh: "jun7giDYwf9o+C66LDpjnjT9rnpThIt/i+5kTQ3Ta5I=", c_header: "relaxed", c_body: "relaxed", d: "sharparam.com", … }
verifier.mjs.js:1508:9
DKIM_Verifier.Verifier  DEBUG    computed body hash: jun7giDYwf9o+C66LDpjnjT9rnpThIt/i+5kTQ3Ta5I= verifier.mjs.js:1256:7
WebExtensions: libunboundWorker: data: k=rsa; t=s; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxR/NEf4ntGKLE9nAgYbXQHLkduZ+A4j0liDHbfwKElK1IAOqzgBMqOTqPTk/v6CpxpWWZyaokUPWNmpeOE9lpo/meIFipyNyzvi4xht+9BFXMGIfAxDMsBubtDq4G0eBvjvZhz/MZ7K7P7YsuHw49SzqCJFN24Z5TNa6h9uhhwRYahAaHqkToKnGkVbUtZaZ1s2T1HCzlDqDlWh1u6gx7LUIScc9WfEEO9N3KrvIegR1v9sNRWtGy2qjRJOiCgmtja348lwzdx9EkoeV73j7Do2hWYJC0hy1G2A7+3+wu/r0wKifeeGu/DlVgpTNlatBgdQuqj4KW66nzKKPoalCrQIDAQAB libunbound.js:243
WebExtensions: libunboundWorker: qname: sg1._domainkey.sharparam.com, qtype: 16, rcode: 0, secure: false, bogus: false, why_bogus: undefined libunbound.js:243
DKIM_Verifier.KeyStore  DEBUG    dns result 
Object { data: (1) […], rcode: 0, secure: false, bogus: false }
keyStore.mjs.js:373:7
DKIM_Verifier.Verifier  DEBUG    Warning: DKIM_POLICYERROR_KEY_INSECURE verifier.mjs.js:1283:10
DKIM_Verifier.Verifier  DEBUG    Parsed DKIM-Key: 
Object { v: "DKIM1", h_array: null, k: "rsa", n: null, p: "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxR/NEf4ntGKLE9nAgYbXQHLkduZ+A4j0liDHbfwKElK1IAOqzgBMqOTqPTk/v6CpxpWWZyaokUPWNmpeOE9lpo/meIFipyNyzvi4xht+9BFXMGIfAxDMsBubtDq4G0eBvjvZhz/MZ7K7P7YsuHw49SzqCJFN24Z5TNa6h9uhhwRYahAaHqkToKnGkVbUtZaZ1s2T1HCzlDqDlWh1u6gx7LUIScc9WfEEO9N3KrvIegR1v9sNRWtGy2qjRJOiCgmtja348lwzdx9EkoeV73j7Do2hWYJC0hy1G2A7+3+wu/r0wKifeeGu/DlVgpTNlatBgdQuqj4KW66nzKKPoalCrQIDAQAB", s: "*", t_array: (1) […] }
verifier.mjs.js:1403:7
DKIM_Verifier.Verifier  DEBUG    Header hash input:
content-type:multipart/alternative; boundary=981d80655a0a417b6bed9af1931126d1c0f2709b274cdcc9f63e730a037f

from:no-reply@sharparam.com

mime-version:1.0

subject:SendGrid keepalive message

to:sendgrid-keepalive@sharparam.com

dkim-signature:v=1; a=rsa-sha256; c=relaxed/relaxed; d=sharparam.com; h=content-type:from:mime-version:subject:to:cc:content-type:from: subject:to; s=sg1; bh=jun7giDYwf9o+C66LDpjnjT9rnpThIt/i+5kTQ3Ta5I=; b= verifier.mjs.js:1344:7
DKIM_Verifier.Verifier  DEBUG    Verified DKIM-Signature 1 verifier.mjs.js:1511:9
DKIM_Verifier.AuthVerifier  DEBUG    authResult:  
Object { version: "2.1", dkim: (1) […] }
authVerifier.mjs.js:220:7

I'm using Thunderbird 115.7.0 with version 5.4.0 of the DKIM Verifier extension.

OS is Arch Linux:

$ uname -a
Linux melina 6.7.1-zen1-1-zen #1 ZEN SMP PREEMPT_DYNAMIC Sun, 21 Jan 2024 22:13:51 +0000 x86_64 GNU/Linux

Any ideas what might be going wrong?

lieser commented 6 months ago

I'm pretty sure this is a problem with the DNSSEC configuration and not the add-on.

On the analyzing site you need to enter the full DNS name not just the top domain, i.e. https://dnssec-analyzer.verisignlabs.com/sg1._domainkey.sharparam.com

It seems the problem comes from the entry only being a CNAME record, and the sendgrid.net domain it points to not supporting DNSSEC.
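The diagnosis above can be checked mechanically from the dig output in the report. The following Python script is an added example (not code from the thread or from the DKIM Verifier project): it parses the `dig +dnssec` answer quoted earlier, embedded here as constructed sample input, and follows the same chain a validating resolver would, reporting that the signed CNAME lands in an unsigned zone.

```python
import re
# Constructed sample: the `dig +dnssec` answer quoted in the issue, cut down to the
# lines the check reads (header flags, EDNS flags, ANSWER and AUTHORITY sections).
DIG_OUTPUT = """\
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1
; EDNS: version: 0, flags: do; udp: 1232
;; ANSWER SECTION:
sg1._domainkey.sharparam.com. 300 IN CNAME sg1.domainkey.u41132253.wl004.sendgrid.net.
sg1._domainkey.sharparam.com. 300 IN RRSIG CNAME 13 4 300 20240130011328 20240127231328 34505 sharparam.com. 18zV0wIww/5rTzX0rqUGaFWDVa+S2cFGrAL2DC2c9sxm9QM3cWCIbPeu YWfMIP+dwS6PiKJ4pqMKesWBtYYnpg==
;; AUTHORITY SECTION:
wl004.sendgrid.net. 300 IN SOA aisha.ns.cloudflare.com. dns.cloudflare.com. 2331969982 10000 2400 604800 1800
"""

def parse_dig(text):
    """Pull header flags, EDNS flags and the records of each section out of dig output."""
    parsed = {"ad": False, "do": False, "sections": {}}
    section = None
    for line in text.splitlines():
        if m := re.match(r";; flags: ([^;]*);", line):
            parsed["ad"] = "ad" in m.group(1).split()   # AD: resolver validated every RRset
        elif m := re.match(r"; EDNS: .*flags: ([^;]*);", line):
            parsed["do"] = "do" in m.group(1).split()   # DO: we asked for RRSIGs
        elif m := re.match(r";; (\w+) SECTION:", line):
            section = m.group(1)
            parsed["sections"][section] = []
        elif section and line and not line.startswith(";"):
            owner, _ttl, _cls, rtype, rdata = line.split(None, 4)
            parsed["sections"][section].append((owner, rtype, rdata))
    return parsed

def dnssec_status(parsed):
    """Return (status, reason), following the chain the resolver had to validate."""
    if not parsed["do"]:
        return ("unknown", "DO bit not set, so no RRSIGs were requested")
    if parsed["ad"]:
        return ("secure", "resolver set the AD flag on the whole answer")
    answer = parsed["sections"].get("ANSWER", [])
    authority = parsed["sections"].get("AUTHORITY", [])
    signed = {(o, rd.split()[0]) for o, t, rd in answer + authority if t == "RRSIG"}
    # With DO set, an RRset that arrives without an RRSIG came from an unsigned zone.
    for owner, rtype, _ in answer:
        if rtype != "RRSIG" and (owner, rtype) not in signed:
            return ("insecure", f"{rtype} RRset at {owner} has no RRSIG")
    # All answer RRsets are signed; if the chain ends in a CNAME, the SOA in AUTHORITY
    # names the zone that answered for the target, and an unsigned SOA means an unsigned zone.
    targets = [rd for _, t, rd in answer if t == "CNAME"]
    for owner, rtype, _ in authority:
        if rtype == "SOA" and (owner, "SOA") not in signed and targets:
            return ("insecure", f"CNAME target {targets[-1]} lies in unsigned zone {owner}")
    return ("indeterminate", "answer is signed but the resolver gave no AD verdict")
```

Run against the sample, `dnssec_status(parse_dig(DIG_OUTPUT))` reports the CNAME target in `wl004.sendgrid.net.` as the unsigned link, which is exactly why libunbound returns `secure: false` for the key.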

Sharparam commented 6 months ago

Ah, I see. In that case this would be up to SendGrid to fix, but it seems doubtful they would. There's apparently some kind of downside to DNSSEC which can make attacks worse.

This sadly makes the DNSSEC verification feature feel kinda pointless, since the big players don't seem to be using DNSSEC (Google doesn't, for one), so "DNSSEC failed" is not a red flag when legit players don't use it.

lieser commented 6 months ago

Yes, DNSSEC seems to not be very commonly used. So treating not DKIM-signed keys even just as warnings adds too much noise to be useful.

I think the positive lock symbol for DNSSEC signed keys is still nice, but the DNSSEC feature is unfortunately not as useful as I hoped when I implemented it.

But unless it becomes a big burden to maintain, it is still something that I currently intend to continue to support.

I will close the issue as I think all your questions are now answered; if not, feel free to reopen it.